Below we set out some questions that we think boards may want to consider, as part of an iterative process over time, as they develop their approaches to risk appetite and which will enable them to remain at the forefront of the discussion. One clear outcome from our consultation exercise was that, despite the expected variation in views on the technical aspects of risk appetite, there was a common acceptance of these questions as a useful starting point for board discussion.
- What are the significant risks the board is willing to take? What are the significant risks the board is not willing to take?
- What are the strategic objectives of the organisation? Are they clear? What is explicit and what is implicit in those objectives?
- Is the board clear about the nature and extent of the significant risks it is willing to take in achieving its strategic objectives?
- Does the board need to establish clearer governance over the risk appetite and tolerance of the organisation?
- What steps has the board taken to ensure oversight over the management of the risks?
➔ Designing A Risk Appetite
- Has the board and management team reviewed the capabilities of the organisation to manage the risks that it faces?
- What are the main features of the organisation’s risk culture in terms of tone at the top? Governance? Competency? Decision making?
- Does an understanding of risk permeates the organisation and its culture? 9. Is management incentivised for good risk management?
- How much does the organisation spend on risk management each year? How much does it need to spend?
- How mature is risk management in the organisation? Is the view consistent at differing levels of the organisation? Is the answer to these questions based on evidence or speculation?
➔ Constructing A Risk Appetite
- Does the organisation understand clearly why and how it engages with risks?
- Is the organisation addressing all relevant risks or only those that can be captured in risk management processes?
- Does the organisation have a framework for responding to risks?
➔ Implementing A Risk Appetite
- Who are the key external stakeholders and have sufficient soundings been taken of their views? Are those views dealt with appropriately in the final documentation?
- Has the organisation followed a robust approach to developing its risk appetite?
- Did the risk appetite undergo appropriate approval processes, including at the board (or risk oversight committee)?
- Is the risk appetite tailored and proportionate to the organisation?
- What is the evidence that the organisation has implemented the risk appetite effectively?
➔ Governing A Risk Appetite
- Is the board satisfied with the arrangements for data governance about risk management data and information?
- Has the board played an active part in the approval, measurement, monitoring and learning from the risk appetite process?
- Does the board have, or does it need, a risk committee to, inter alia, oversee the development and monitoring of the risk appetite framework?
The Journey Is Not Over – Final Thoughts
- What needs to change for the next time around?
- Does the organisation have sufficient and appropriate resources and systems?
- What difference did the process make and how would we like it to have an impact next time around?
Hungry For Risk?
The word “appetite” brings connotations of food, hunger and satisfying one’s needs. We think that this metaphor is not always helpful in understanding the phrase “risk appetite”. When those two words appear together we think it is more appropriate to think in terms of ‘fight or flight responses to perceived risks. Most animals, including human beings, have a ‘fight or flight’ response to risk. In humans, this can be overruled by our cognitive processes. Our interpretation of risk appetite is that it represents a corporate version of the same instincts and cognitive processes. However, since these instincts are not ”hardwired“ in our corporate “nervous and sensory” systems we use risk management as a surrogate.